
Asylum Ambuscade hacker group successfully combines financial motivation with cyber espionage


The group uses VBScript in its attacks, along with a range of malware and payloads.

The cybercriminal group known as Asylum Ambuscade engages in both cyber espionage and cybercrime, attacking small and medium-sized companies around the world. The group has been active since 2020 and was first documented by Proofpoint in March 2022.

According to new data from ESET, Asylum Ambuscade's latest campaigns use targeted phishing emails carrying malicious documents that launch malicious VBScript code and an exploit for the vulnerability CVE-2022-30190. Successful exploitation installs the Sunseed malware, which then downloads the Ahkbot secondary module from the attackers' C2 servers.

In 2023, Asylum Ambuscade expanded its target audience by attacking bank customers, cryptocurrency traders, government agencies and various small and medium businesses in North America, Europe and Central Asia.

ESET notes that the group is also using new compromise vectors, including malicious Google ads that redirect users to sites serving malicious JavaScript. In addition, since March 2023 the group has been using a new tool, Nodebot, which is a port of Ahkbot to Node.js.

The malware can take screenshots, extract passwords from Internet Explorer, Firefox and Chromium-based browsers, and download additional AutoHotkey plugins to the infected device. These plugins provide different functionality, such as loading Cobalt Strike, installing Chrome for hVNC, launching a keylogger, deploying the Rhadamanthys infostealer, launching a commercially available RAT, and more.
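As an added defender-side example (not code from the article, ESET or Proofpoint), the following Python scans constructed process-creation records for the chain described above: an Office document spawning a script host (the VBScript stage) or msdt.exe (CVE-2022-30190, which is invoked through the ms-msdt: URI scheme), and the AutoHotkey interpreter (the Ahkbot stage) running from a user-writable directory. The key=value record layout, the file paths and the indicator names are assumptions made for this example.

```python
import re
from pathlib import PureWindowsPath

# Process pairings that match the chain described above (assumed indicator set):
# Office -> script host / msdt.exe, and AutoHotkey running from a user-writable path.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\public\\")
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_event(line: str) -> dict:
    """Parse one key=value process-creation record (constructed format)."""
    raw = {k: v.strip('"') for k, v in _KV.findall(line)}
    return {
        "image_path": raw.get("Image", "").lower(),
        "image": PureWindowsPath(raw.get("Image", "")).name.lower(),
        "parent": PureWindowsPath(raw.get("ParentImage", "")).name.lower(),
        "cmdline": raw.get("CommandLine", "").lower(),
    }

def classify(ev: dict) -> list[str]:
    """Return the chain indicators this event matches (empty list = no match)."""
    hits = []
    if ev["parent"] in OFFICE_APPS and ev["image"] == "msdt.exe":
        hits.append("office-spawned-msdt")           # CVE-2022-30190 pattern
    if ev["parent"] in OFFICE_APPS and ev["image"] in SCRIPT_HOSTS:
        hits.append("office-spawned-script-host")    # VBScript dropper stage
    if "ms-msdt:" in ev["cmdline"]:
        hits.append("ms-msdt-uri-in-cmdline")
    if ev["image"] == "autohotkey.exe" and any(d in ev["image_path"] for d in USER_WRITABLE):
        hits.append("autohotkey-from-user-writable-path")  # Ahkbot-style stage
    return hits

def scan(lines) -> list[tuple[int, list[str]]]:
    """Run classify() over a log; return (line number, indicators) for hits only."""
    results = [(i, classify(parse_event(l))) for i, l in enumerate(lines, 1)]
    return [(i, h) for i, h in results if h]

# Constructed sample events (not real telemetry); paths are illustrative.
SAMPLE_LOG = [
    r'ParentImage="C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" Image="C:\Windows\System32\msdt.exe" CommandLine="msdt.exe ms-msdt:/id <omitted>"',
    r'ParentImage="C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" Image="C:\Windows\System32\wscript.exe" CommandLine="wscript.exe C:\Users\alice\AppData\Local\Temp\invoice.vbs"',
    r'ParentImage="C:\Windows\System32\wscript.exe" Image="C:\Users\alice\AppData\Roaming\ahk\AutoHotkey.exe" CommandLine="AutoHotkey.exe main.ahk"',
    r'ParentImage="C:\Windows\explorer.exe" Image="C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" CommandLine="WINWORD.EXE /n report.docx"',
]

if __name__ == "__main__":
    for lineno, indicators in scan(SAMPLE_LOG):
        print(f"line {lineno}: {', '.join(indicators)}")
```

The last sample record (Explorer launching Word) produces no hit, which is the benign baseline the parent/child rules are meant to leave alone.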

ESET estimates that Asylum Ambuscade has infected about 4,500 victims since January 2022, which equates to approximately 265 victims per month. This makes the group a very serious threat to organizations around the world.

The aims and motives of Asylum Ambuscade are still unclear. While the hackers are clearly targeting cryptocurrencies and bank accounts for profit, the infections of SMBs could also indicate cyber espionage.

It is possible that the hackers sell access to these companies' networks to other cybercriminals, who could deploy ransomware, for example, but ESET did not find any evidence for this hypothesis.




